Disclosure Guide

How to disclose Klaviyo in your privacy policy

Klaviyo is an email and SMS marketing platform that also tracks anonymous website visitor behavior before any email or form submission. Its ActiveOnSite feature identifies anonymous visitors who are in your Klaviyo list and tracks their browsing, creating disclosure obligations that go beyond standard email marketing consent.

Last reviewed by Lokker Privacy Engineering

Not legal advice

The example language on this page is provided for educational purposes only. It is not legal advice and does not create an attorney-client relationship. Privacy laws vary by jurisdiction, sector, and the specific technologies you deploy. Always have a qualified privacy counsel or attorney review your privacy policy language to ensure it accurately reflects your actual data practices and complies with applicable law. Policy text alone does not make you compliant: your technical controls must match what the policy describes.

Data collection

What data Klaviyo typically collects

This is what your privacy policy needs to describe. Be specific: vague references to "usage data" or "technical information" are not sufficient in most jurisdictions.

  • Email addresses and contact attributes from signup forms and checkout flows

  • Email engagement data: opens, clicks, unsubscribes from Klaviyo-sent campaigns

  • Website behavioral events via Klaviyo.js: page views, viewed product, added to cart, started checkout

  • ActiveOnSite: identifies known email subscribers browsing anonymously and tracks their site behavior

  • Phone numbers for SMS marketing when SMS is enabled

  • Order and purchase history from connected e-commerce platforms

  • Klaviyo cookie identifiers (__kla_id) linking anonymous visits to email contacts

Processing purposes

Purposes to describe in your policy

Privacy laws require you to specify the purpose for each category of data processing. These are the purposes typically associated with Klaviyo.

  • Email marketing and automated campaign delivery

  • SMS marketing for transactional and promotional messages

  • Triggered flows based on browsing behavior (abandoned cart, browse abandonment)

  • Segmenting contacts by purchase history and behavioral signals

  • Personalization of email content based on on-site behavior

Jurisdiction notes

US and EU compliance considerations

These are representative notes, not exhaustive legal guidance. Laws continue to evolve and your counsel should review the current requirements for each jurisdiction where your visitors reside.

United States

Klaviyo processes email addresses, purchase history, and behavioral data, all of which are personal information under the CCPA as amended by the CPRA. ActiveOnSite combines behavioral tracking with email identity resolution, a processing activity that visitors who consented only to transactional email may not expect. SMS marketing requires prior express written consent under the TCPA. Global Privacy Control (GPC) signals must be honored as an opt-out of sale and sharing, which covers any use of Klaviyo data for cross-context behavioral advertising.

EU and UK (GDPR)

Under the GDPR, each Klaviyo use case needs a lawful basis: consent for marketing emails (or, where the ePrivacy Directive or UK PECR "soft opt-in" conditions are met, existing-customer marketing about similar products), and contract or legitimate interests for transactional messages. Klaviyo.js website tracking and ActiveOnSite store and read identifiers on the visitor's device, so they require prior consent under the ePrivacy Directive, with the GDPR governing the processing that follows. Your policy must identify Klaviyo as a data processor, state the legal basis for each use case, and cover transfers to Klaviyo Inc. in the United States under Standard Contractual Clauses or another valid transfer mechanism.

Example language

Illustrative policy language for Klaviyo

The examples below are starting points for discussion with legal counsel. They are not approved or jurisdiction-complete language. Your policy must accurately reflect your actual technical configuration and comply with the laws of the jurisdictions where your visitors reside.

Email marketing and tracking table row

Klaviyo (Klaviyo, Inc.): Email and SMS marketing platform that also tracks website behavior for campaign personalization and automated flows. Email campaigns include engagement tracking pixels. Website behavioral data linked to email contacts via the __kla_id cookie. Category: Marketing and email.

Full email marketing and behavioral tracking disclosure

We use Klaviyo, an email and SMS marketing platform provided by Klaviyo, Inc., to send marketing communications, automate flows triggered by your behavior, and personalize content based on your interests. Klaviyo's tracking code operates on our website and collects behavioral data including pages viewed, products viewed, and cart interactions. If you are subscribed to our email list and visit our website while identifiable to Klaviyo (for example, after clicking a link in one of our emails), Klaviyo may associate your browsing activity with your email profile. Our email campaigns sent through Klaviyo include standard email tracking pixels that record when messages are opened and links are clicked. Klaviyo processes data under a data processing agreement as a data processor acting on our behalf. Data is transferred to Klaviyo Inc. in the United States under Standard Contractual Clauses. Where consent is required by applicable law, Klaviyo website tracking will only activate after you have provided consent through our consent management platform.

Configuration checklist

CMP and tag manager checklist

An accurate policy is only useful if the technical controls behind it work correctly. These are the configuration points to verify for Klaviyo.

  1. Categorize Klaviyo.js under "Marketing" or "Email Marketing." It is not Strictly Necessary because it tracks behavioral data beyond what is needed to deliver a requested service.

  2. ActiveOnSite is an identity resolution feature: it identifies known email subscribers browsing anonymously. In opt-in markets, this requires the visitor's consent both as an email subscriber and as a website visitor subject to behavioral tracking.

  3. Email tracking pixels are separate from website cookie consent. EU and UK subscribers may need a separate consent mechanism or a clearly disclosed legitimate interest for email open and click tracking.

  4. SMS consent must be separate and prior express written consent under TCPA in the United States. Klaviyo's opt-in form text must accurately describe the SMS program.

  5. Use Consent Validator to verify that Klaviyo.js does not contact its collection endpoint before CMP consent is granted in the marketing or email category.
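The checklist above comes down to one technical control: Klaviyo.js must not be injected, and nothing may be pushed into its queue, until the CMP records a grant in the marketing or email category, and a GPC signal must block the load even when the CMP shows a grant. The following is an added example of such a gate, written for this page; it is not Klaviyo's or Lokker's code. It assumes a CMP that reports consent as an object of category booleans with the hypothetical category names "marketing" and "email", uses an illustrative Klaviyo script URL shape (copy the real one from your own Klaviyo snippet), and targets the legacy `_learnq` onsite queue; the `env` parameter is injectable so the gate can be exercised outside a browser.

```javascript
// Added example of a consent-gated Klaviyo.js loader (not Klaviyo's or Lokker's code).
// Assumptions: the CMP reports consent as { category: boolean } using the hypothetical
// category names "marketing" and "email"; the script URL below is illustrative and
// should be copied from your own Klaviyo snippet; _learnq is the legacy onsite queue.

const klaviyoScriptUrl = (companyId) =>
  `https://static.klaviyo.com/onsite/js/klaviyo.js?company_id=${encodeURIComponent(companyId)}`;

// Klaviyo.js is never Strictly Necessary, so the only state that permits it is an
// explicit grant in the marketing/email category. A GPC signal is treated as an
// opt-out of sale/sharing and blocks the load even when the CMP shows a grant.
function klaviyoDecision(consent, { gpc = false } = {}) {
  const granted = Boolean(consent) && (consent.marketing === true || consent.email === true);
  if (!granted) return { load: false, reason: 'no marketing/email consent' };
  if (gpc) return { load: false, reason: 'GPC opt-out signal present' };
  return { load: true, reason: 'marketing/email consent granted' };
}

// Wrap the Klaviyo queue so site code can record events from the first paint,
// while nothing is injected or pushed toward Klaviyo until consent is granted.
function createKlaviyoGate(companyId, env, { replayPreConsentEvents = false } = {}) {
  const pending = [];
  let loaded = false;

  return {
    track(eventName, properties = {}) {
      const call = ['track', eventName, properties];
      if (loaded) env.learnq.push(call);
      else pending.push(call);
    },
    // Call from the CMP's consent-change hook, and once on page load with the stored state.
    onConsentChange(consent, opts) {
      const decision = klaviyoDecision(consent, opts);
      if (decision.load && !loaded) {
        env.injectScript(klaviyoScriptUrl(companyId));
        loaded = true;
        // Events recorded before the grant were collected without consent; by
        // default they are discarded rather than replayed into Klaviyo.
        const held = pending.splice(0);
        if (replayPreConsentEvents) for (const call of held) env.learnq.push(call);
      }
      return decision;
    },
    isLoaded: () => loaded,
    pendingCount: () => pending.length,
  };
}

// Browser wiring: the real _learnq array and a script-tag injector.
function browserEnv() {
  window._learnq = window._learnq || [];
  return {
    learnq: window._learnq,
    injectScript(src) {
      const s = document.createElement('script');
      s.async = true;
      s.src = src;
      document.head.appendChild(s);
    },
  };
}

// Typical wiring (browser only):
//   const gate = createKlaviyoGate('YOUR_PUBLIC_API_KEY', browserEnv());
//   gate.track('Viewed Product', { ProductID: '123' });
//   cmp.onChange((consent) => gate.onConsentChange(consent, { gpc: navigator.globalPrivacyControl === true }));
```

A loaded script cannot be unloaded, so a consent withdrawal after the grant only takes effect on the next page load; the gate must be re-evaluated from stored consent on every page, and the `__kla_id` cookie is not removed by this code.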

Policy vs practice

What policies say versus what Lokker validates

These are common gaps between Klaviyo privacy policy language and what actually happens in the browser. Checking only inside each SaaS admin (CMP, tag manager, or vendor console) rarely answers whether the full stack works together. Lokker tests from the outside: consent state, tag firing, and network requests viewed as one system.

What the policy says

  • Policies describe Klaviyo only as an email delivery platform, without disclosing the Klaviyo.js behavioral tracking component or ActiveOnSite identity resolution.

  • Policies state that email marketing consent covers all Klaviyo processing activities.

  • Policies describe email tracking as standard practice without noting that open and click tracking may require separate disclosure for EU subscribers.

What Lokker validates

  • Klaviyo.js loads on every page and collects behavioral data from all visitors, including anonymous visitors who have never submitted an email address. Lokker confirms whether Klaviyo.js fires before consent and whether it contacts its tracking endpoint for anonymous sessions.

  • Email subscription consent covers receiving email campaigns. It does not automatically authorize website behavioral tracking, ActiveOnSite identity resolution, or behavioral trigger-based automated flows. Lokker identifies whether website-level Klaviyo tracking occurs for visitors who have not consented to website behavioral tracking.

  • Klaviyo email tracking pixels set cookies or make network requests when emails are opened or links are clicked. For EU and UK subscribers, email tracking may require a separate legitimate interest assessment or consent. Lokker can identify whether these tracking requests are consistent with disclosed practices.

Consent Validator tests your site from the outside, not inside each vendor admin. It runs automated flows across accept, reject, no-interaction, and GPC states and checks whether Klaviyo loads through your CMP and tag manager, whether consent signals are honored, and whether any call to that vendor still occurs when the visitor has opted out.
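The outside-in check described above can be reproduced offline from browser captures: run the page once per consent state, record the CMP choice, outbound requests and cookie writes in order, then flag any Klaviyo contact that was not preceded by a marketing or email grant. The following is an added example of that audit logic, written for this page; it is not Lokker's Consent Validator or Klaviyo's code. The capture format and sample runs are constructed, and matching on `*.klaviyo.com` hostnames and the `__kla_id` cookie is an assumption (take the real endpoint list from your own capture).

```javascript
// Added example: offline audit of consent-state captures for Klaviyo contact.
// Not Lokker's or Klaviyo's code. Capture format and sample data are constructed;
// the hostname suffix and cookie name matched are assumptions to verify against
// your own browser capture.

const KLAVIYO_COOKIE = '__kla_id';
const CONSENT_CATEGORIES = new Set(['marketing', 'email']);

function isKlaviyoHost(url) {
  let host;
  try { host = new URL(url).hostname; } catch { return false; }
  return host === 'klaviyo.com' || host.endsWith('.klaviyo.com');
}

// One capture is one automated run of the page in a given consent state
// ('accept', 'reject', 'no-interaction', 'gpc'), with the events the proxy saw in order:
//   { t, kind: 'consent', granted: [...] }  the CMP recorded a choice
//   { t, kind: 'request', url }             an outbound network request
//   { t, kind: 'cookie', name }             a cookie written by the page
function auditCapture(capture) {
  const findings = [];
  let consentAt = null;
  for (const ev of capture.events) {
    if (ev.kind === 'consent') {
      if (ev.granted.some((c) => CONSENT_CATEGORIES.has(c))) consentAt = ev.t;
      continue;
    }
    const isKlaviyo = ev.kind === 'request' ? isKlaviyoHost(ev.url)
                    : ev.kind === 'cookie' ? ev.name === KLAVIYO_COOKIE
                    : false;
    if (!isKlaviyo) continue;
    // Only an accept run, after the grant was recorded, may contact Klaviyo.
    const allowed = capture.state === 'accept' && consentAt !== null && ev.t >= consentAt;
    if (allowed) continue;
    findings.push({
      state: capture.state,
      t: ev.t,
      kind: ev.kind,
      detail: ev.kind === 'request' ? ev.url : ev.name,
      reason: capture.state === 'accept' ? 'fired before consent was recorded'
            : capture.state === 'gpc' ? 'fired despite GPC opt-out signal'
            : 'fired without consent',
    });
  }
  return findings;
}

function auditAll(captures) {
  return captures.flatMap(auditCapture);
}

// Constructed sample: four runs of the same page, one per consent state.
// Every run contains exactly one gap a policy reviewer would want surfaced.
const SAMPLE_CAPTURES = [
  { state: 'accept', events: [
      { t: 100, kind: 'request', url: 'https://static.klaviyo.com/onsite/js/klaviyo.js?company_id=EXAMPLE' },
      { t: 250, kind: 'consent', granted: ['necessary', 'marketing'] },
      { t: 300, kind: 'request', url: 'https://a.klaviyo.com/onsite/track' },
      { t: 310, kind: 'cookie', name: '__kla_id' } ] },
  { state: 'reject', events: [
      { t: 100, kind: 'request', url: 'https://example.com/app.js' },
      { t: 250, kind: 'consent', granted: ['necessary'] },
      { t: 400, kind: 'request', url: 'https://a.klaviyo.com/onsite/track' } ] },
  { state: 'no-interaction', events: [
      { t: 120, kind: 'cookie', name: '__kla_id' } ] },
  { state: 'gpc', events: [
      { t: 90, kind: 'request', url: 'https://static.klaviyo.com/onsite/js/klaviyo.js?company_id=EXAMPLE' } ] },
];

// auditAll(SAMPLE_CAPTURES) returns four findings: the accept run loaded Klaviyo.js
// before the grant, the reject run still sent a tracking request, the no-interaction
// run wrote __kla_id, and the GPC run loaded the script.
```

The accept run is the one most often missed: a tag manager that fires Klaviyo.js on page load and only later reads the consent state produces a clean reject run and still fails, because the script contacted Klaviyo before the grant existed.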

Questions

Klaviyo privacy policy FAQ

What is Klaviyo ActiveOnSite and does it need to be disclosed?
ActiveOnSite is a Klaviyo feature that identifies known email subscribers who visit your website without being logged in. Klaviyo.js sets the __kla_id cookie in the visitor's browser; when that visitor clicks a tracked link in one of your emails (or submits a Klaviyo form), the cookie is associated with their email profile, and their later visits are no longer anonymous to Klaviyo. Once identified, Klaviyo tracks their browsing behavior and can trigger automated flows such as browse abandonment emails. This is a distinct processing activity that combines email identity with behavioral tracking and must be described in the privacy policy. Visitors who receive browse abandonment emails should understand why and how their behavior was tracked.
Does Klaviyo email marketing require GDPR consent?
Yes, for promotional and marketing emails. GDPR requires a lawful basis for each processing activity. For marketing email, the standard basis is freely given, specific, informed, and unambiguous consent. Klaviyo website behavioral tracking via Klaviyo.js additionally requires prior consent under the ePrivacy Directive, separate from the email marketing consent. A subscriber who has not consented to cookie-based tracking should not be subject to Klaviyo.js behavioral collection when they visit the website.
What are the TCPA requirements for Klaviyo SMS marketing?
The Telephone Consumer Protection Act (TCPA) requires prior express written consent before sending marketing text messages to US phone numbers. For Klaviyo SMS, this means obtaining consent through a clearly disclosed opt-in mechanism, retaining evidence of consent, and providing clear opt-out instructions in every message. Klaviyo provides compliance features for SMS opt-in and opt-out flows, but legal review is required to confirm that the consent language and mechanism meet TCPA requirements for the specific program.


Validate technical compliance

Confirm that Klaviyo fires only when it should

Verify that Klaviyo.js does not fire for anonymous visitors before consent and that ActiveOnSite behavioral events are correctly gated.